Reddit reveals hackers stole code, email addresses, and account data

Popular news aggregation and discussion site Reddit was hacked in mid-June, the company disclosed today, exposing some users’ current email addresses and a database containing older accounts. The site is blaming intercepted SMS authentication messages for making the main attack possible, and encouraging “everyone” to move to token-based two-factor authentication to protect their data going forward.

Reddit says that the hacker was able to grab backup data, source code, and other logs from its hosting providers, notably including an old database holding 2005 to 2007 Reddit user data — usernames, email addresses, public messages, and private messages. Additionally, the hacker obtained logs containing email digests sent by Reddit from June 3 to June 17, 2018, including usernames, associated email addresses, and suggested posts from “select popular and safe-for-work subreddits you subscribe to.” The hacker also took source code and other private files largely impacting Reddit employees.

Users affected by the 2005-2007 database breach will have their passwords reset, and receive either private messages or emails to notify them that their information was affected. Reddit also advises that affected users change their passwords on any other sites on which they used the ones Reddit had on file.

Only users with the “email digests” user preference checked during the June 3 to June 17 period need be concerned about the latter compromise. In that case, Reddit suggests removing “anything on your Reddit account that you wouldn’t want associated back to that address.” It’s also generally suggesting use of two-factor authentication and a strong unique password to mitigate future issues.

Reddit is one of the world’s top 10 websites by visits, boasting 234 million unique users and 542 million monthly visitors as of February 2018. It is cooperating with law enforcement to help identify the hacker, and says that it has enhanced its logging, added additional encryption, and required token-based two-factor authentication to secure its own systems. The site recently hired a head of security, and is now hiring additional people to expand its in-house security team.